b'January 2007\nReport No. 07-002\n\n\nThe Division of Supervision and\nConsumer Protection\xe2\x80\x99s Information\nTechnology-Risk Management Program\n\n\n\n\n             AUDIT REPORT\n\x0c                                                                                            Report No. 07-002\n                                                                                                January 2007\n\n\n                                      The Division of Supervision and Consumer Protection\xe2\x80\x99s\n                                      Information Technology-Risk Management Program\n\n                                      Results of Audit\nBackground and                        DSC has established procedures within the IT-RMP for addressing IT security\nPurpose of Audit                      risks at FDIC-supervised financial institutions. These procedures address most of\n                                      the information security requirements contained in interagency guidance. Our\nInformation is one of a financial     review of 12 IT examinations found that examiners generally followed the\ninstitution\xe2\x80\x99s most important          procedures outlined in the IT-RMP, and in doing so, carried out the following\nassets. Protection of information     activities:\nassets is necessary to establish\nand maintain trust between the\n                                      \xe2\x80\xa2 Identified the risks and technology deployed at the institution for the purpose\nfinancial institution and its              of determining examination staffing needs.\ncustomers, maintain compliance        \xe2\x80\xa2 Reviewed the financial institution\xe2\x80\x99s Officer\xe2\x80\x99s Questionnaire regarding the\nwith the law, and protect the              bank\xe2\x80\x99s risk management practices.\nreputation of the institution.        
\xe2\x80\xa2 Performed onsite examination procedures to assess the financial institution\xe2\x80\x99s\nInformation security is the process\n                                           information security program.\nby which an organization protects\nand secures its systems, media,       \xe2\x80\xa2 Assigned an IT composite rating at the conclusion of the examination and\nand facilities that process and            reported IT examination findings in the report of examination.\nmaintain information vital to its\noperations.                           However, improvements to the IT-RMP program would help to ensure adequate\nInteragency guidelines require        and consistent implementation of the IT-RMP and related examination\nfinancial institutions to implement   procedures. Specifically, DSC could revise certain IT-RMP tools to assist\na comprehensive written               examiners in more effectively identifying relevant IT security risks to be assessed.\ninformation security program. 
To      We concluded that DSC could:\nensure that FDIC-supervised           \xe2\x80\xa2 Clarify in the IT-RMP guidance the purpose and use of the Technology\nfinancial institutions implement\n                                          Profile Script, which is used to determine examiner staffing needs, or\nadequate information security\nprogram controls, the Corporation         reevaluate the benefits of continued use of this tool.\nconducts periodic onsite              \xe2\x80\xa2 Enhance the Officer\xe2\x80\x99s Questionnaire provided to the financial institution to\ninformation technology (IT)               address certain information security requirements contained in interagency\nexaminations and, in August               guidelines.\n2005, the Division of Supervision     \xe2\x80\xa2 Modify IT-RMP guidance to (a) replace some \xe2\x80\x9cyes/no\xe2\x80\x9d questions in the\nand Consumer Protection (DSC)\nestablished the Information\n                                          Officer\xe2\x80\x99s Questionnaire with more descriptive questions and (b) require that\nTechnology-Risk Management                examiners evaluate, based on identified risks, a sample of positive responses\nProgram (IT-RMP). 
IT-RMP                  to questions in the Officer\xe2\x80\x99s Questionnaire to ensure their accuracy.\nreplaced the broad-based              \xe2\x80\xa2 Expand instructions for the Summary Analysis, an IT-RMP examination\ntechnology and control reviews            scoping and reporting tool, to clarify the extent to which examiners should\nconducted under the former IT             document an institution\xe2\x80\x99s risk profile and corresponding procedures to\nexamination program.\n                                          address the risks.\nThe objective of this audit was to\ndetermine whether the FDIC has        DSC also needs to update IT-RMP guidance to more clearly address the\nestablished and implemented           methodology examiners should use in deriving the IT composite rating for a\nadequate procedures for\n                                      financial institution. Clarified guidance could increase assurance that IT ratings\naddressing IT security risks at\nFDIC-supervised institutions that     accurately and consistently reflect the effectiveness of an institution\xe2\x80\x99s IT risk\noffer electronic banking products     management practices and the adequacy of its information security program.\nand services. We focused this\nreview on the IT-RMP and DSC\xe2\x80\x99s        The report makes seven recommendations to enhance the tools and guidance\nexaminer training framework in        under the IT-RMP methodology and the IT training programs. FDIC\nrelationship to the new program.      
management generally agreed with our recommendations and is taking responsive\n                                      action to review DSC\xe2\x80\x99s tools, guidance, and training programs as part of an\nTo view the full report, go to        evaluation of the first year of performance under the IT-RMP program and will\nwww.fdicig.gov/2007reports.asp        issue revised guidance or make enhancements as deemed necessary.\n\x0c                            TABLE OF CONTENTS\n\n\nBACKGROUND                                                             1\n\nRESULTS OF AUDIT                                                       5\n\nIT-RMP TOOLS                                                           6\n   Technology Profile Script                                           6\n   IT Examination Officer\xe2\x80\x99s Questionnaire (Officer\xe2\x80\x99s Questionnaire)    8\n   IT Snapshot Work Program (Work Program)                            10\n   IT Summary Analysis (Summary Analysis)                             11\n   RECOMMENDATIONS                                                    13\n\nIT COMPOSITE SCORING                                                  14\n   IT Composite Ratings Definitions and Development                   15\n   IT Rating Documentation                                            17\n   RECOMMENDATION                                                     17\n\nEXAMINER IT TRAINING                                                  17\n  Alignment of IT-RMP Training                                        17\n  IT On-the-Job Training (IT-OJT) for Non-IT Examiners                18\n  RECOMMENDATIONS                                                     19\n\nCORPORATION COMMENTS AND OIG EVALUATION                               20\n\nAPPENDIX I: OBJECTIVE, SCOPE, AND METHODOLOGY                         21\nAPPENDIX II: IT-RMP EXAMINATION STEPS                                 26\nAPPENDIX III: IT EXAMINATION RESOURCE STRATEGY\n              MATRIX           
                                       27\nAPPENDIX IV: FFIEC URSIT COMPOSITE RATINGS\n              DEFINITIONS                                             29\nAPPENDIX V: CORPORATION COMMENTS                                      31\nAPPENDIX VI: MANAGEMENT RESPONSE TO\n               RECOMMENDATIONS                                        35\n\nTABLE\nScoping Elements Related to Risk Profiling                            12\n\nFIGURE\nComposite Ratings for FDIC IT Examinations Conducted in the           16\nFirst Half of 2006\n\x0cACRONYMS\n\nACH        Automated Clearing House\nAMDS       Audit, Management, Development and Acquisition, and Support and\n           Delivery\nCPO        Corporate Performance Objective\nDSC        Division of Supervision and Consumer Protection\nFACT Act   Fair and Accurate Credit Transactions Act of 2003\nFDI        Federal Deposit Insurance\nFFIEC      Federal Financial Institutions Examination Council\nFIL        Financial Institution Letter\nGLBA       Gramm-Leach-Bliley Act\nIT         Information Technology\nITEC       Information Technology Examination Course\nIT-MERIT   Information Technology Maximum Efficiency, Risk-Focused, Institution\n           Targeted\nIT-OJT     Information Technology On-the-Job Training\nIT-RMP     Information Technology- Risk Management Program\nOIG        Office of Inspector General\nRDM        Regional Directors Memorandum\nRM         Relationship Manager\nROE        Report of Examination\nTSP        Technology Service Provider\nURSIT      Uniform Rating System for Information Technology\nU.S.C.     
United States Code\nViSION     Virtual Supervisory Information on the Net\n\x0cFederal Deposit Insurance                                                                       Office of Audits\n3501 Fairfax Drive, Arlington, VA 22226                                            Office of Inspector General\n\n\nDATE:                                     January 10, 2007\n\nMEMORANDUM TO:                            Sandra L. Thompson, Director\n                                          Division of Supervision and Consumer Protection\n\nFROM:                                     Russell A. Rau [Electronically produced version; original\n                                          signed by Russell A. Rau]\n                                          Assistant Inspector General for Audits\n\nSUBJECT:                                  The Division of Supervision and Consumer Protection\xe2\x80\x99s\n                                          Information Technology-Risk Management Program\n                                          (Report No. 07-002)\n\n\nThis report presents the results of our audit of the Division of Supervision and Consumer\nProtection\xe2\x80\x99s (DSC) procedures for addressing information technology (IT) security risks\nat FDIC-supervised financial institutions. To ensure that FDIC-supervised financial\ninstitutions implement adequate information security program controls, DSC conducts\nperiodic onsite IT examinations generally in concert with its safety and soundness\nexaminations.\n\nThe objective of the audit was to determine whether the FDIC had established and\nimplemented adequate procedures for addressing IT security risks at FDIC-supervised\nfinancial institutions that offer electronic banking products and services. 
We focused this\naudit on DSC\xe2\x80\x99s Information Technology-Risk Management Program (IT-RMP), an\nexamination process implemented in August 2005 and designed to review a financial\ninstitution\xe2\x80\x99s information security program and related risk-management practices.1\nAppendix I of this report discusses our audit objective, scope, and methodology in detail.\n\nBACKGROUND\n\nInformation is one of a financial institution\xe2\x80\x99s most important assets. Protection of\ninformation assets is necessary to establish and maintain trust between the financial\ninstitution and its customers, maintain compliance with the law, and protect the\nreputation of the institution. Timely and reliable information is necessary to process\ntransactions and support financial institution and customer decisions. A financial\ninstitution\xe2\x80\x99s earnings and capital can be adversely affected if information becomes known\nto unauthorized parties, is altered, or is not available when it is needed.\n\nInformation security is the process by which an organization protects and secures its\nsystems, media, and facilities that process and maintain information vital to its\n\n1\n The FDIC Office of Inspector General (OIG) is evaluating FDIC examiners\xe2\x80\x99 use of a subset of the IT-\nRMP examination procedures related to technology service providers (TSP). The results of that audit will\nbe published in a separate report.\n\x0coperations. On a broad scale, financial institutions have a primary role in protecting the\nnation\xe2\x80\x99s financial services infrastructure. The security of the financial institutions\xe2\x80\x99\nsystems and information is essential to their safety and soundness and to the privacy of\ncustomer information.\n\nOrganizations often inaccurately perceive information security as the state or condition of\ncontrols at a point in time. 
Security is an ongoing process, whereby the condition of a\nfinancial institution\xe2\x80\x99s controls is just one indicator of its overall security posture. Other\nindicators include the ability of the institution to continually assess its posture and react\nappropriately in the face of rapidly changing threats, technologies, and business\nconditions. A financial institution establishes and maintains effective information\nsecurity when it continuously integrates processes, people, and technology to mitigate\nrisk in accordance with risk assessment and acceptable risk-tolerance levels.\n\nInteragency Guidelines Establishing Information Security Standards\n\nPursuant to section 39 of the Federal Deposit Insurance (FDI) Act, and sections 501 and\n505(b) of the Gramm-Leach-Bliley Act (GLBA), the federal banking agencies issued\nInteragency Guidelines Establishing Information Security Standards (Guidelines). These\nGuidelines address standards for developing and implementing administrative, technical,\nand physical safeguards to protect the security, confidentiality, and integrity of customer\ninformation. 
The Guidelines require each financial institution to implement a\ncomprehensive written information security program designed to:\n\n   \xe2\x80\xa2   ensure the security and confidentiality of customer information;\n   \xe2\x80\xa2   protect against any anticipated threats or hazards to the security or integrity of\n       such information; and\n   \xe2\x80\xa2   protect against unauthorized access to or use of such information that could result\n       in substantial harm or inconvenience to any customer.\n\nThe Guidelines further require that the board of directors or an appropriate committee of\nthe board of each financial institution:\n\n   \xe2\x80\xa2   approve the financial institution\xe2\x80\x99s written information security program and\n   \xe2\x80\xa2   oversee the development, implementation, and maintenance of the financial\n       institution\xe2\x80\x99s information security program, including assigning specific\n       responsibility for its implementation and reviewing reports from management.\n\n\n\n\n                                              2\n\x0cFFIEC Information Security Booklet\n\nIn July 2006, the Federal Financial Institutions Examination Council (FFIEC) issued\nrevised guidance for examiners and financial institutions in identifying information\nsecurity risks and evaluating the adequacy of controls and applicable risk management\npractices of financial institutions. The Information Security Booklet is 1 of 12 that, in\ntotal, comprise the FFIEC IT Examination Handbook. The Information Security Booklet\ndescribes how an institution should protect and secure the systems and facilities that\nprocess and maintain information and builds on the Guidelines (discussed above) by\nproviding additional and more detailed explanations of sound security-process elements.\nThe booklet states that financial institutions and TSPs must maintain effective security\nprograms tailored to the complexity of their operations. 
The July 2006 Information\nSecurity Booklet updated a 2002 version and addressed changes in technology, risk\nassessments, mitigation strategies, and regulatory guidance.\n\nDSC\xe2\x80\x99s IT-Risk Management Program\n\nDSC generally conducts IT examinations in conjunction with safety and soundness\nexaminations every 12 or 18 months, depending on the asset size and financial condition\nof the institution. Institutions found to be in noncompliance with the Guidelines can face\nsupervisory actions ranging from informal agreements to civil monetary penalties or\nother enforcement actions.\n\nIn 2005, DSC updated its risk-\nfocused IT examination                  The Five Key Areas of Focus Under IT-RMP\nprocedures for FDIC-supervised          \xe2\x80\xa2 Risk Assessment\nfinancial institutions. DSC issued      \xe2\x80\xa2 Operations Security and Risk Management\na Regional Directors                    \xe2\x80\xa2 Audit and Independent Review\nMemorandum (RDM),                       \xe2\x80\xa2 Disaster Recovery and Business Continuity\nInformation Technology \xe2\x80\x93 Risk           \xe2\x80\xa2 Compliance with Part 364, Appendix B, of the\nManagement Program (IT-RMP)                FDIC\xe2\x80\x99s Rules and Regulations\non August 15, 2005, to implement\nthe IT-RMP and related                  Source: RDM 2005-031.\nexamination procedures (RDM 2005-031). The IT-RMP replaced the broad-based\ntechnology and control reviews conducted under the former IT-Maximum Efficiency,\nRisk Focused, Institution Targeted (IT-MERIT) program and related work programs with\na top-down approach to assess the adequacy of an institution\xe2\x80\x99s information security\nprogram. The IT-RMP places considerable emphasis on management, information\nsecurity program content, and confirmations and assurances obtained through audit or\nindependent review. 
The IT-RMP integrates with the FDIC\xe2\x80\x99s Relationship Manager\nProgram2 by including the results of the IT examination within the safety and soundness\nReport of Examination (ROE) for all FDIC-supervised financial institutions, regardless of\nsize, technical complexity, or prior examination rating.\n\n2\n   DSC implemented the Relationship Manager Program in September 2005. A key aspect of this program\nis the designation of a Relationship Manager (RM) for every FDIC-supervised financial institution. Each\nRM serves as the designated local point-of-contact for the respective financial institutions in their portfolio.\n\n\n                                                       3\n\x0cKey components of the IT-RMP include the following:\n\n\xe2\x80\xa2   Technology Profile Script (Profile Script). A mandatory tool used to measure the\n    risk and complexity of technology deployed at an              Technology Profile Script\n    institution and to assess examination staffing needs.               Institution Types\n    Examiners use the Profile Script, which contains 20         Institutions for which IT\n    questions, to collect information about an institution\xe2\x80\x99s IT examinations had been started\n    environment and, using a numeric scoring process,           and completed from January 1,\n    categorize institutions into one of three risk/complexity   2006 to June 19, 2006:\n    categories (Type I&II, III, or IV). The categories are also\n                                                                Type I&II \xe2\x80\x93 328 institutions\n    used to assign appropriately-qualified IT examiners to IT\n                                                                Type III \xe2\x80\x93 385 institutions\n    examinations. 
Together with the Officer\xe2\x80\x99s Questionnaire     Type IV \xe2\x80\x93 37 institutions\n    (see below) and other information, the Profile Script is    Source: OIG-prepared from DSC\n    used to develop an institution risk profile and preliminary examination information.\n    examination scope.\n\n\xe2\x80\xa2   IT Examination Officer\xe2\x80\x99s Questionnaire (Officer\xe2\x80\x99s Questionnaire). A mandatory\n    tool examiners use to collect key information about an institution\xe2\x80\x99s IT environment\n    prior to conducting an IT examination. The questionnaire represents the financial\n    institution\xe2\x80\x99s self-assessment of its information security program and contains 85\n    questions, generally in a \xe2\x80\x9cyes/no\xe2\x80\x9d format, targeting the 5 key areas of focus under IT-\n    RMP. Information collected through the questionnaire is used with other relevant\n    information to support risk analysis and scoping of IT examinations. The\n    questionnaire must be signed by an executive-level management official of the\n    institution attesting to its accuracy and completeness.\n\n\xe2\x80\xa2   Flexible Use of Work Programs. The IT-RMP introduced a new IT Snapshot Work\n    Program (Work Program) and an IT Summary Analysis (Summary Analysis) that\n    examiners must use to document IT examination findings and conclusions.\n    Examiners may also use applicable FDIC- or FFIEC-approved work programs, FDIC\n    Financial Institution Letters (FIL), or other regulatory guidance in conducting an\n    examination. IT-RMP procedures provide examiners with considerable discretion in\n    determining the scope of an IT examination.\n\n\xe2\x80\xa2   IT Rating Guidelines. Examiners assign a single \xe2\x80\x9ccomposite\xe2\x80\x9d rating at the\n    conclusion of an IT examination using the Uniform Rating System for Information\n    Technology (URSIT). 
The rating reflects \xe2\x80\x9cthe effectiveness of an institution\xe2\x80\x99s IT risk\n    management practices and the completeness of its information security program.\xe2\x80\x9d3\n    The URSIT ratings are discussed in the IT Composite Scoring section of this report.\n\nAppendix II provides an overview of the IT-RMP examination procedures and illustrates\nthe tools used in the various stages of an IT examination.\n\n\n3\n  On January 13, 1999, the FFIEC adopted a revised URSIT to be used for IT examinations of all banks\nand TSPs. The URSIT rating is based on a risk evaluation of four critical components, namely: (1) Audit,\n(2) Management, (3) Development and Acquisition, and (4) Support and Delivery.\n\n\n                                                    4\n\x0cRESULTS OF AUDIT\n\nDSC has established procedures within the IT-RMP for addressing IT security risks at\nFDIC-supervised financial institutions. These procedures address most of the\ninformation security requirements contained in the Guidelines. Our review of 12 IT\nexaminations found that examiners generally followed the procedures outlined in the IT-\nRMP, and in doing so, carried out the following activities:\n\n\xe2\x80\xa2   Identified the risks and technology deployed at the institution for the purpose of\n    determining examination staffing needs.\n\xe2\x80\xa2   Reviewed the financial institution\xe2\x80\x99s Officer\xe2\x80\x99s Questionnaire regarding the bank\xe2\x80\x99s risk\n    management practices.\n\xe2\x80\xa2   Performed onsite examination procedures to assess the financial institution\xe2\x80\x99s\n    information security program.\n\xe2\x80\xa2   Assigned an IT composite rating at the conclusion of the examination and reported IT\n    examination findings in the ROE.\n\nHowever, improvements to the IT-RMP would help to ensure adequate and consistent\nimplementation of the IT-RMP and related examination procedures. 
Specifically, DSC\ncould revise certain IT-RMP tools to assist examiners in more effectively identifying\nrelevant IT security risks to be assessed. We concluded that DSC could:\n\n\xe2\x80\xa2   Clarify in the IT-RMP guidance the purpose and use of the Profile Script or\n    reevaluate the benefits of the continued use of this tool.\n\xe2\x80\xa2   Enhance the Officer\xe2\x80\x99s Questionnaire to address certain information security\n    requirements contained in the Guidelines.\n\xe2\x80\xa2   Modify IT-RMP guidance to (a) replace some \xe2\x80\x9cyes/no\xe2\x80\x9d questions in the Officer\xe2\x80\x99s\n    Questionnaire with more descriptive questions and (b) require that examiners\n    evaluate, based on identified risks, a sample of positive responses to questions in the\n    Officer\xe2\x80\x99s Questionnaire to ensure their accuracy.\n\xe2\x80\xa2   Expand instructions for the Summary Analysis to clarify the extent to which\n    examiners should document an institution\xe2\x80\x99s risk profile and corresponding procedures\n    to address risks (IT-RMP Tools).\n\nDSC also needs to update IT-RMP guidance to more clearly address the methodology\nexaminers should use in deriving the IT composite rating for a financial institution.\nClarified guidance could increase assurance that IT ratings accurately and consistently\nreflect the effectiveness of an institution\xe2\x80\x99s IT risk management practices and the\ncompleteness of its information security program (IT Composite Scoring).\n\nDSC is in the process of incorporating the IT-RMP approach into its examiner training\ncourses. 
In doing so, DSC needs to better align the examiner training program with the\ntop-down, risk-focused objective of the IT-RMP and consider expanding the program to\nensure that more examiners are sufficiently trained to perform effective IT examinations\n(Examiner IT Training).\n\n\n\n                                             5\n\x0cIT-RMP TOOLS\n\nAs described earlier, the IT-RMP includes key components for identifying and addressing\nIT risks at financial institutions: the Profile Script, Officer\xe2\x80\x99s Questionnaire, Work\nProgram, and Summary Analysis. Improvements could be made to these tools to help\nexaminers more effectively provide coverage of the most significant IT security risks.\n\nTechnology Profile Script\n\nDSC needs to reevaluate the benefits of the Profile Script within the IT-RMP program.\nDSC designed the Profile Script under the former IT-MERIT examination program to be\na standardized basic measurement of the complexity and risk of the technology deployed\nat a financial institution. The Profile Script was, and still is, the primary tool for\ncategorizing financial institutions into risk/complexity categories (Type I&II, III, or IV).\nUnder the previous IT-MERIT program, DSC used the Profile Script tool to:\n(1) determine the examination work program,4 report format, and rating format;\n(2) allocate examination resources and match examiner skills to the complexity of the\ninstitution; and (3) determine training needs.\n\nRDM 2005-031 states that, under the IT-RMP, the Profile Script \xe2\x80\x9c\xe2\x80\xa6will no longer\ndictate examiner scope, but should be used to assess examination staffing needs and\nchanges to the financial institution\xe2\x80\x99s technology environment.\xe2\x80\x9d The Profile Script\nconsists of 20 questions in 4 categories \xe2\x80\x93 Core Processing,\nNetworking, E-Banking, and Other. 
Seventeen of the                   Technology Profile\nquestions have a 5-point value, and the remaining three                Scoring Matrix\nquestions are valued at 10, 15, or 20 points. The total points   Type        Score Range\nof all four categories are added together to derive a financial   I&II            0-49\ninstitution\xe2\x80\x99s profile score, as shown in the Technology            III           50-79\nProfile Scoring Matrix. The resulting category or type is          IV           80-130\n                                                                Source: RDM 2005-031.\none factor that DSC considers in determining the\nappropriate examiner training and skill level needed to perform the IT examination, as\nillustrated in the FDIC\xe2\x80\x99s IT Examination Resource Strategy Matrix shown in\nAppendix III of this report.\n\nAlthough DSC refocused the use of the Profile Script, DSC elected not to revise the\ncontent of the tool. For example, the Profile Script used for the IT-RMP, an IT risk-\nmanagement-focused program, contains the identical questions and scoring matrix used\nin the previous IT-MERIT program, which was technology-based. Further, each\nfinancial institution continues to be categorized by type, using the existing Technology\nProfile Scoring Matrix. 
In addition, although the IT-RMP program description and\nrequirements state that the Profile Script will no longer dictate the examination scope, IT-\nRMP examination procedures in RDM 005-031 provide that the Profile Script will be\n\n4\n Under the IT-MERIT examination program, examiners were required to use the following work\nprograms: (a) Type I institutions \xe2\x80\x93 IT-MERIT Procedures, (b) Type II institutions \xe2\x80\x93 IT General Work\nProgram, (c) Type III institutions \xe2\x80\x93 IT General Work Program supplemented by FFIEC work programs, and\n(d) Type IV institutions \xe2\x80\x93 FFIEC work programs.\n\n\n                                                 6\n\x0cused as a scoping tool in concert with the Officer\xe2\x80\x99s Questionnaire and other information\nobtained prior to onsite work in developing an institution\xe2\x80\x99s risk profile.\n\nDSC examination personnel commented on the usefulness of the Profile Script. Some\nexaminers noted that the Profile Script may no longer be necessary because the IT-RMP\nis used for all financial institutions, regardless of a financial institution\xe2\x80\x99s risk category\n(Type I & II, III, or IV), thus the tool is not needed for establishing the examination work\nprogram. In regard to using the Profile Script to assess examination staffing requirements\nwith the current scoring system, some examination personnel believed that a wide range\nof financial institutions fall into the Type III category and that some Type III banks may\nnot need an experienced IT examiner to conduct the IT examination. 
One DSC official\nsaid that the Profile Script is useful, but added that it should be updated to reflect risks\nrelated to institutions that offer credit-card processing or utilize FedLine Advantage.5\nAnother DSC official stated that the Profile Script focuses on technology, and the training\nidentified in the IT Examination Resource Strategy Matrix (Appendix III) is technology-\nfocused; however, IT-RMP is management-focused.\n\nMost of the information in the Profile Script is also reflected in the Officer\xe2\x80\x99s\nQuestionnaire and Work Program. For example, three of the four categories in the\nProfile Script \xe2\x80\x93 Core Processing, Networking, and E-Banking \xe2\x80\x93 are addressed in the\nPart 2 \xe2\x80\x93 Operations Security and Risk Management section of the Officer\xe2\x80\x99s\nQuestionnaire. The FDIC could consider using the information in the Officer\xe2\x80\x99s\nQuestionnaire for IT examination scoping and staffing decisions rather than continuing to\nrequire that examination personnel complete the Profile Script. A DSC official estimated\nthat examination personnel spend 1 hour preparing the Profile Script, which would equate\nto about 757 hours that could have been expended for the IT examinations started and\ncompleted for the first 6 months of 2006.6\n\nDSC should either clarify the new purpose and use of the Profile Script in the IT-RMP or\nreevaluate the need for continued use of the Profile Script. Since DSC currently relies\non Profile Script information to determine examination staffing, clarifying the tool\xe2\x80\x99s\nintended purpose and utilization in the IT-RMP could increase the FDIC\xe2\x80\x99s assurance that\nIT examiner skills and experience are commensurate with the risks associated with a\nparticular institution. However, given that similar information is already reflected in the\nOfficer\xe2\x80\x99s Questionnaire, DSC may be in a position to eliminate preparation of the Profile\nScript. 
Finally, re-evaluating the utility of the Profile Script as a scoping and staffing tool\ncould result in time-saving opportunities for IT-RMP examinations.\n\n\n\n\n5\n  FedLine Advantage is the Federal Reserve Bank\xe2\x80\x99s electronic delivery channel, which uses Web\ntechnologies to provide financial institutions access to critical payment systems, including Fedwire Funds\nService, Fedwire Securities Service, and FedACH (Automated Clearing House).\n6\n  These results comprise all DSC IT examinations started and completed during the period January 1, 2006\nto June 20, 2006 for which a Profile Script had been entered into the Virtual Supervisory Information On\nthe Net (ViSION) system, based on data collected from ViSION on June 21, 2006.\n\n\n                                                    7\n\x0cIT Examination Officer\xe2\x80\x99s Questionnaire (Officer\xe2\x80\x99s Questionnaire)\n\nDSC could enhance the Officer\xe2\x80\x99s Questionnaire by including additional information\nsecurity risks for IT examiners\xe2\x80\x99 assessments. The Officer\xe2\x80\x99s Questionnaire is an integral\ncomponent of the IT-RMP and, when completed, serves as the financial institution\xe2\x80\x99s self-\nassessment of its information security program. The Officer\xe2\x80\x99s Questionnaire contains 85\nquestions for the financial institution to answer in the IT-RMP\xe2\x80\x99s key areas: (1) risk\nassessment; (2) operations security and risk management; (3) audit and independent\nreview; (4) disaster recovery and business continuity; and (5) compliance with Part 364,\nAppendix B, of the FDIC\xe2\x80\x99s Rules and Regulations.\n\nThe Officer\xe2\x80\x99s Questionnaire includes most, but not all, of the relevant information\nsecurity requirements contained in the FFIEC\xe2\x80\x99s Information Security Booklet. 
We compared the IT-RMP guidance with the Information Security Booklet and identified certain areas for which the Officer’s Questionnaire coverage could be more complete, as follows:

Identification of vulnerabilities as part of the risk assessment process: The Information Security Booklet states that financial institutions should assess potential threats and vulnerabilities of their information systems. Vulnerabilities can be characterized as weaknesses in a system, or control gaps, that, if exploited, could result in the unauthorized disclosure, misuse, alteration, or destruction of information or information systems. The Officer’s Questionnaire does not specifically require that the financial institution official provide information on vulnerabilities identified as part of the institution’s risk assessment process. The Officer’s Questionnaire requires only a “yes” or “no” response on whether vulnerability testing had been performed on internal systems, together with the date and by whom the testing had been performed, but not the results of the vulnerability testing.

Benchmarks and security performance metrics for the information security program: The Information Security Booklet provides that performance metrics can be used to measure security policy implementation, the effectiveness and efficiency of security services delivery, and the impact of security events on business processes. The measurement of security characteristics can allow management to increase control and drive improvements to the security process. The Officer’s Questionnaire does not address the financial institution’s establishment or monitoring of security performance metrics and benchmarks.

Access controls over customer information systems: The Information Security Booklet states that the goal of access control is to allow access by authorized individuals[7] and devices[8] and to disallow access to all others. The booklet also states that financial institutions should have an effective process to administer access rights. The Officer’s Questionnaire does not address certain aspects of access controls over customer information systems, such as: developing security strategies to limit unauthorized access and the ability to perform unauthorized actions; implementing least privilege concepts to restrict access to those with proper authorization; and establishing multiple control points between threats and organization assets by layering controls.

[7] Authorized individuals may be institution and TSP employees, vendors, contractors, customers, or visitors. Access should be authorized and provided only to individuals whose identity is established, and their activities should be limited to the minimum required for business purposes.
[8] Authorized devices are those whose placement on the network is approved in accordance with institution policy.

Encryption of electronic customer information: The Information Security Booklet states that financial institutions should use effective authentication methods to include encrypting the transmission and storage of authenticators, such as passwords, personal identification numbers, and digital certificates. The Officer’s Questionnaire has no questions related to encryption.

Insurance coverage: The Information Security Booklet states that financial institutions should carefully evaluate the extent and availability of insurance coverage in relation to the specific IT risks that institutions are seeking to mitigate. Insurance may include coverage for the following risks – vandalism of financial institution Web sites; computer extortion associated with threats of attack or disclosure of data; theft of confidential information; destruction or manipulation of data (including viruses); and insiders who exceed system authorization. The Officer’s Questionnaire has no questions related to insurance. However, DSC officials stated that questions related to insurance may already be addressed through safety and soundness examinations.

Personnel security: The Information Security Booklet states that financial institutions should mitigate the risks posed by internal users of bank data by: (1) performing appropriate background checks and screening of new employees; (2) obtaining agreements covering confidentiality, nondisclosure, and authorized use; (3) using job descriptions, employment agreements, and training to increase accountability for security; and (4) providing training to support awareness and policy compliance. DSC officials pointed out that two questions addressed personnel security controls: (1) Do you have an employee acceptable use policy (Y/N)?, and (2) Do you have an employee security awareness training program (Y/N)? However, we noted that the Officer’s Questionnaire does not address certain personnel security areas such as background checks and confidentiality agreements for key individuals holding positions critical to the implementation and oversight of the institution’s information security program.

Senior DSC officials responsible for the IT-RMP told us that the program has been in place for 1 year and is ready for review and revisions, as necessary. DSC plans to obtain input and suggestions for improvements to the IT-RMP from IT Assistant Regional Directors’ quarterly meetings, the division’s internal review reports, IT examiners, and OIG reviews.

Yes/No Format of Officer’s Questionnaire: DSC should also consider rephrasing the questions in the Officer’s Questionnaire to improve the IT-RMP and related examination procedures. Specifically, the “yes/no” format design of some questions in the Questionnaire does not always provide IT examiners meaningful information on which to base risk-focused examination procedures or prompt the financial institution to provide detailed information in the response. Several of the questions were designed to determine not only whether a policy or procedure existed, but also whether that policy or procedure was compliant or consistent with established criteria.
For example, one question asks “Does the scope of your risk assessment include an analysis of internal and external threats to confidential customer and consumer information as described in Part 364, Appendix B, of the FDIC’s Rules and Regulations (Y/N)?” Such a question is designed to obtain information related to the adequacy or completeness of a control or requirement. IT examiners could obtain more meaningful information during examination planning if certain questions were rephrased to address an institution’s compliance or consistency with specific regulations and guidance, as shown below.

   Current Question: “Do you have an anti-spyware management program to protect end-user systems (Y/N)?”

   OIG-Proposed Question: Describe the institution’s policies, procedures, and practices for preventing and detecting spyware on computer systems consistent with the FDIC’s FIL-66-2005, Guidance on Mitigating Risks from Spyware, dated July 22, 2005. Spyware is a commonly used term to describe software that collects data without the prior knowledge or informed consent of the data’s owner.

   Current Question: “Do you have policies/procedures for the proper disposal of information assets (Y/N)?”

   OIG-Proposed Question: Describe the institution’s policies, procedures, and practices for disposing of information assets consistent with the Interagency Guidelines Establishing Information Security Standards.

IT Snapshot Work Program (Work Program)

RDM 2005-031 directs examiners to use the Officer’s Questionnaire as a risk analysis and scoping tool for quickly identifying potential security program strengths and weaknesses. The memorandum states that examiners should always evaluate all responses to the Officer’s Questionnaire in the context of effective IT risk management, keeping in mind the potential severity, impact, and relationship of any “No” or blank response to other responses in the same and other risk management categories, and paying particular attention to responses that could affect the quality of the entire information security program. Examiners may choose not to document “No” or blank responses, provided the reason(s) for the scope adjustment or modification is documented in the Summary Analysis (discussed in the next section of this report).

RDM 2005-031 does not specifically require examiners to evaluate “Yes” responses. Rather, the guidance identifies the “No” responses as potential “red flag indicators” and describes “Yes” responses as being equally important when evaluating the adequacy and effectiveness of a financial institution’s information security program. Examiners we interviewed indicated that bankers have an inferred bias toward answering “Yes” to questions on the Officer’s Questionnaire because they know that the “No” answers could be construed as an indication of a problem.

For all 12 IT examinations we reviewed, the examiners followed up on selected “Yes” responses from the Officer’s Questionnaire. However, for all 12 examinations reviewed, we could not determine why certain “Yes” responses had been selected for additional procedures, because examiners did not discuss the reason in the examination scope. Further, for 6 of the 12 examinations, we could not determine which procedures had been completed to follow up on certain “Yes” responses, because examiners did not identify these procedures in the Work Program comments or discuss them in the examination scope.

In making changes to the IT-RMP, DSC should consider revising RDM 2005-031 to include a provision that examiners evaluate, based on identified risks, a sample of “Yes” responses contained in the Officer’s Questionnaire. Requiring validation of selected “Yes” responses during the onsite discussion and verification phase of the examination would provide the FDIC with additional assurance as to the adequacy of the financial institution’s information security program. Also, this action could further assure the FDIC that the institution official completing the questionnaire was informed and knowledgeable about the information security program. Follow-up activity on IT areas considered higher risk or selected “yes” responses related to specifically identified IT security risks would be consistent with the risk-focused approach of the IT-RMP examination procedures.

IT Summary Analysis (Summary Analysis)

DSC could clarify its expectations of what information examiners should document in the Summary Analysis. The Summary Analysis has two primary purposes: (1) scope development that includes preparing a preliminary institution risk profile from historical information and information gathered with other risk scoping tools, such as the Profile Script and the Officer’s Questionnaire, and (2) report preparation that begins with documenting the IT examination findings in the Summary Analysis. IT-RMP examination procedures make the following references to an institution’s risk profile:

• The completed Profile Script, Officer’s Questionnaire, and other pre-examination information should help examiners gain an understanding of bank operations and supporting infrastructure. The goal of this process is to develop a preliminary institution risk profile based on historical and other information obtained during the preplanning phase.
• An institution’s risk profile should consider risk management, technical, and other components.
• After completing the scoping process, examiners should have a reasonable understanding of the institution’s risk profile and, therefore, have a tentative list of items to be reviewed during the onsite examination.

Although RDM 2005-031 requires that examiners develop a preliminary institution risk profile as part of completing the Summary Analysis, the memorandum does not specifically require that examiners document the risk profile.
Further, RDM 2005-031 does not clearly identify what information should be included in a risk profile.

RDM 2005-031 states that for initial examinations under the IT-RMP, the examination scope will include, at a minimum, the procedures listed below. IT examiners are instructed to document the pre-planned examination scope under the “Initial Examination Scope” heading of the Summary Analysis and scope changes that occur during the examination in the “Final Examination Scope” section of this tool.

   Minimum IT-RMP Exam Procedures
   • Site security inspection
   • Risk assessment review
   • Audit/independent review
   • Part 364 review
   • Onsite discussion or verification of all “N,” blank, “N/A,” and “None” responses
   • ACH and wire transfer review
   Source: RDM 2005-031.

We reviewed the Summary Analysis document for each of the 12 sampled IT examinations to determine the IT security risks that examiners had identified for the financial institutions. For our analysis, we used information from DSC’s IT-RMP training presentations and three case studies to determine what type of information should be included in a risk profile. We identified the following key scoping elements in the Summary Analysis section that could be used to present an institution’s risk profile.

Scoping Elements Related to Risk Profiling

Summary Analysis Section: Pre-Examination Information
   Key Scoping Elements:
   -- Service Providers and Technologies Used.
   -- Services and Products Offered.
   -- Bank Ownership and Structure.
   -- Prior Examination Results, Ratings, and Status of Findings.
   -- Changes in Technologies, Personnel, Products, Services, Auditors, and Service Providers.
   -- Enforcement Actions Outstanding.
   -- Other Risks Identified Through Officer’s Questionnaire Responses.

Summary Analysis Section: Initial Examination Scope Comments
   Key Scoping Elements:
   -- IT-RMP Minimum (Mandatory) Procedures for Baseline Scope.
   -- Pre-examination Information Items for Initial Discussions with Management and Direction for Onsite Work.

Summary Analysis Section: Final Examination Scope Comments (if different from initial scope)
   Key Scoping Elements:
   -- Changes in Risk and Testing Based on Results of Executing Initial Examination Scope.

Source: IT-RMP Train-the-Trainer Course Materials.

The Summary Analysis for all 12 IT examinations we reviewed contained certain elements of an institution risk profile shown in the table above; however, these elements were not consistently captured for each examination. With respect to IT-RMP minimum procedures, we found that the examiners did not identify all of the minimum-required procedures in the Summary Analysis scope comments for 5 of the 12 examinations that we reviewed. However, in all five instances, examination working papers indicated that the minimum procedures had been performed.

The risk profile is an important tool that can help an examiner in assessing a financial institution’s IT security risk management program and directing examiner resources toward examining areas in the financial institution with higher degrees of risk. Senior DSC officials responsible for the IT-RMP agreed that examiners should document the institution’s risk profile and the examination procedures planned and performed to address identified risks. Doing so would provide greater assurance that the IT examination procedures are risk-focused and prioritized and reflect the most effective use of examiner resources. Moreover, a well-documented risk profile could serve as a baseline for determining IT changes to an institution’s technology environment during future IT examinations.

RECOMMENDATIONS

We recommend that the Director, DSC:

1. Modify the IT-RMP guidance to clarify the purpose and use of the Technology Profile Script as distinguished from its previous utilization under the IT-MERIT program, or reevaluate the costs and benefits of the continued use of this tool.

2. Modify the IT Examination Officer’s Questionnaire and IT Snapshot Work Program to provide for enhanced coverage of the following:
   • Identification of vulnerabilities as part of the risk assessment process.
   • Establishment of benchmarks and performance metrics for the information security program.
   • Access controls for customer information systems.
   • Encryption of electronic customer information.
   • Insurance coverage.
   • Personnel security.

3. Modify IT-RMP guidance to (a) replace some “yes/no” questions in the Officer’s Questionnaire with more descriptive questions that will facilitate risk analysis and scoping IT examinations and (b) require that examiners evaluate, based on identified risks, a sample of positive responses to the questions in the Officer’s Questionnaire to ensure their accuracy.

4. Modify IT-RMP guidance to clarify (a) what information should be included in an institution’s risk profile and (b) the extent to which examiners should document the risk profile and corresponding procedures planned and performed to address identified risks.

IT COMPOSITE SCORING

For the 12 IT examinations we sampled, examiners had employed different methodologies when assigning an IT composite rating.[9] Presently, RDM 2005-031 and examiner training provide high-level guidance on the assignment of IT composite ratings used to classify IT examination results rather than detailed guidelines on developing the ratings. DSC could enhance IT-RMP guidance to provide for a clearer correlation between the IT composite rating definitions and the results of IT examination procedures performed in the Work Program.
Additional guidance could increase the FDIC’s assurance that IT composite ratings assigned to financial institutions consistently reflect the information security environment of the financial institutions examined. Comparability of IT composite rating data also improves DSC’s ability to use that data for trend analysis and performance measurement purposes.

The URSIT stipulates that a direct relationship exists between the composite rating and the individual Audit, Management, Development and Acquisition, and Support and Delivery (AMDS) component performance ratings but adds that the composite rating is not a mathematical average of the individual components, and examiner judgment is used to weigh the relative risk of the examination results for each component. Accordingly, a poor rating in one component may influence the overall composite rating for an institution. For example, if the audit function of a financial institution is viewed as inadequate, the overall integrity of the IT systems is not readily verifiable. The URSIT suggests in this case that a composite rating of less than satisfactory (“3,” “4,” or “5”) would normally be appropriate.

According to the URSIT, a principal purpose of the composite rating is to identify those financial institutions and service providers that pose an inordinate amount of IT risk and warrant special supervisory attention. Thus, individual risk exposures that more explicitly affect the viability of the organization and/or its customers should be given more weight in the composite rating. In determining a composite rating, an examiner also considers assessment factors such as (1) the significance of existing IT weaknesses, (2) the adequacy of risk management practices, and (3) the sufficiency of strategic planning. The URSIT rating definitions provide descriptive examples for each of the “1” to “5” composite ratings. For example, a composite “1” definition states that the financial institution has strong performance in every respect; generally has components rated “1” or “2”; and exhibits (a) minor IT weaknesses, (b) risk management processes that provide a comprehensive program to identify and monitor risk, (c) well-defined strategic plans, (d) prompt management identification of weaknesses, and (e) the strong financial condition and performance of the service provider. Appendix IV contains the FFIEC URSIT composite ratings definitions.

[9] The composite ratings are assigned on a scale of “1” to “5.” A rating of “1” indicates the strongest performance and management practices and the least degree of supervisory concern, while a rating of “5” indicates the weakest performance and management practices and, therefore, the highest degree of supervisory concern.

Under the IT-RMP, DSC eliminated the assignment of IT component ratings but elected to retain the use of the URSIT rating definitions for assigning an IT composite rating to a financial institution.[10] Specifically, RDM 2005-031 provides that (1) the examiner will assign a composite rating at the conclusion of the examination using the URSIT rating definitions, and (2) the assigned composite rating will reflect the effectiveness of a financial institution’s IT risk management practices and the completeness of its information security program as documented in the Work Program. However, according to RDM 2005-031, while risk management is the focus of the IT-RMP, coverage of existing URSIT component ratings is preserved.
DSC is still required to develop the component ratings during certain IT examinations.

IT Composite Ratings Definitions and Development

Examiners who conducted the 12 IT examinations in our sample used different approaches to develop the IT composite rating. Examiners for 8 of the 12 examinations we reviewed indicated that they had used the URSIT component methodology for developing the composite ratings. Examiners for the remaining four examinations indicated they had used a less structured method. For example, in one case, the rating decision was based on the significance of the findings identified.

DSC could clarify RDM 2005-031 guidance that states “coverage of existing FFIEC component ratings is preserved.” It is not clear whether this statement requires the examiner to develop a ratings analysis using the URSIT component methodology or whether it is a general comment on information that could be considered by the examiner. Although the IT General Work Program is aligned to the four IT component rating categories, examiners are not required to complete this work program under the IT-RMP. In addition, RDM 2005-031 could more clearly explain the correlation between IT examination procedures and the assessment factors in the URSIT composite rating definitions. To illustrate, the Snapshot Work Program has only one general procedure that directly references strategic planning. However, strategic planning is specifically addressed as a key element in the URSIT composite rating definitions. Additional guidance on other IT-RMP procedures that relate to the strategic planning analysis could help ensure that this element (strategic planning) is consistently evaluated.

Consistency in developing IT composite ratings could enhance DSC’s ability to use the results of its examination activities for trend analysis or performance measurement purposes. The following figure identifies the IT composite rating results for FDIC IT examinations performed during the first half of 2006.

[10] IT component ratings will continue to be developed for examinations of TSPs.

Composite Ratings for FDIC IT Examinations Conducted in the First Half of 2006

[Figure: “Relative Ratings of 2006 IT-RMP Examinations.” Stacked bar chart showing the percentage of examinations (% of Examinations, 0% to 100%) assigned an IT composite rating of “1,” “2,” or “3” in each DSC region: Atlanta, Chicago, Dallas, Kansas City, New York, and San Francisco.]

Source: OIG review of ViSION data.
Note: The data in the figure comprise all DSC IT examinations started and completed during the period January 1, 2006 to June 19, 2006.

As shown, there are differences in the percentages of institutions rated “1,” “2,” or “3” among the regions.
This information could be important to DSC in analyzing trends and assessing IT risks. However, for such information to be useful, it is important to ensure that composite rating determinations are consistently developed among examiners. It should be noted that other factors may be causing or contributing to the differences noted in the figure above, including variations in the population of financial institutions supervised by each region.

Moreover, the figure shows that the majority of financial institutions were assigned an IT composite rating of “2.” The URSIT definition indicates that a financial institution with a “2” rating exhibits safe and sound performance but may demonstrate modest weaknesses in operating performance, monitoring, management processes, or system development. ROEs for banks in our sample with an IT composite rating of “2” referred to the bank’s IT program as “adequate” or “satisfactory.” Given the level of assurance conveyed for the bank’s risk management and security processes by a “2” rating, it is important that the process for developing this rating be clearly defined and consistently implemented.

IT Rating Documentation

RDM 2005-031 and IT-RMP training presentations we reviewed do not address whether the IT composite ratings analysis should be documented in the examination workpapers to show how the examiners (1) considered the assessment factors in the URSIT composite rating definitions or (2) weighted various examination findings in the development of the composite rating. None of the examination workpapers for the 12 sampled examinations clearly documented how the composite rating had been determined. Examiners are no longer required to assign URSIT component ratings, which, in part, provide a standard means by which examiners can support how they developed a composite rating. Absent such a requirement, it is important that examiners follow a consistent, documented approach in making composite rating determinations.

RECOMMENDATION

We recommend that the Director, DSC:

5. Develop additional IT-RMP guidance to provide a consistent approach to developing and documenting a financial institution’s IT composite rating analysis. Guidance should clearly describe the correlation between the IT-RMP examination procedures and results and the FFIEC URSIT composite ratings definitions.

EXAMINER IT TRAINING

DSC is in the process of incorporating some of the elements of the IT-RMP into examiner training courses, but the current training program could be better aligned to the top-down, risk-focused objective of the IT-RMP. Additionally, the current IT examiner training program could be expanded to provide non-IT examiners who are assigned to conduct IT examinations with the opportunity for periodic on-the-job training at financial institutions. These training program improvements would provide the FDIC with greater assurance that IT examiners are well-prepared to effectively conduct IT examinations.

Alignment of IT-RMP Training

The IT examiner training program is primarily focused on technical subjects,[11] yet the IT-RMP approach places considerable emphasis on bank management, information security program content, and confirmation and assurances through audit or independent review. DSC provides examiner IT training through formal classroom and online training and a formal IT-OJT program for IT specialty examiners.
RDM 2005-031 includes an IT Examination Resource Strategy Matrix, which recommends examiner skills and training required for the particular category, or type, of financial institution determined by the Profile Script. The matrix is included in Appendix III of this report. DSC used the same matrix under the previous IT-MERIT program but has not revised the matrix to reflect the new management-centric approach of the IT-RMP.

[11] Examples of technical subjects include the IT examiner conference, transmission control protocol/Internet protocol, operating system platforms, firewalls, intrusion detection systems, and virtual private networks.

DSC’s examiner IT training curriculum could be strengthened by including specific courses that address business risk in an IT environment and prepare the examiner to:

• identify and assess risk management deficiencies in a financial institution’s information security program,
• prepare a written risk profile of a financial institution, and
• prepare the IT examination scope that is justified by the institution’s risk profile.

With a training curriculum aligned to the objective of IT-RMP, examiners conducting IT examinations would be better prepared to risk-focus the examination to the identified business risks of the financial institution, rather than just the technical risks. In turn, the FDIC would have greater assurance that the examination procedures conducted thoroughly cover the management of a financial institution’s information security program. DSC has initiated training in audit, business continuity, and risk assessment and indicated that examiners have been requesting additional management-focused training.

IT On-the-Job Training (IT-OJT) for Non-IT Examiners

DSC needs to consider expanding its IT-OJT program to provide DSC examiners with more periodic exposure to financial institution IT environments. The IT-OJT program and many of the IT training courses are geared to more experienced IT specialty examiners. However, commissioned examiners who are not designated IT specialty examiners may also conduct IT examinations, so these examiners could benefit from the IT-OJT program.

Commissioned DSC examiners submit applications to participate in the IT-OJT. This program prepares safety and soundness examiners to conduct IT examinations of more technologically complex institutions. DSC assigns the less technologically complex financial institutions having a lower risk profile to non-IT examiners who may have completed certain basic IT training. DSC has stated that a positive attribute of IT-RMP is that safety and soundness examiners would be competent to conduct IT examinations at financial institutions that fall into the Type I & II category, once these examiners have completed the requisite basic IT training. However, 16 of the 45 regional and field office personnel we interviewed expressed concern that less-experienced examiners conducting IT examinations may not always know when to ask specific questions in order to “drill down” from summary information to the more detailed data that is needed to adequately assess an institution’s information security program.

Moreover, some questions in the Officer’s Questionnaire require the examiner to possess an in-depth understanding of core processing, networks, and telecommunications. For example, Part 2.f, Operations Security and Risk Management, of the Officer’s Questionnaire and Work Program asks, “Do you have formal configuration, change management, and patch management procedures for all applicable platforms identified?” Part 3.d, Audit/Independent Review Program, asks, “Does audit coverage include a comparison of actual system configurations to documented/baseline configuration standards?” These two questions require the examiner to understand formal configuration standards, policies, and procedures for identified platforms and to understand the audit coverage for system configurations. Without this level of understanding, the examiner would not be able to determine whether the configuration management procedures and audit program are adequate.

In the area of IT-RMP training, DSC: (1) provided an overview briefing to IT examiners in August 2005; (2) presented to certain specialty IT examiners an introduction to the IT-RMP “train-the-trainer” course in December 2005 through February 2006; and (3) awarded a contract to amend examiner course content and develop a course focused on risk assessments, business continuity, and audit. IT-RMP program implementation preceded the training by several months, and in certain cases, the risk-focused course offerings have been scheduled only for future dates.

DSC examiners we interviewed consistently identified the need to get examiners into the IT-OJT program.
We estimated that 97 percent (733 of 757) of the financial institutions\nexamined during the first half of 2006 use networks in their operations.12 This illustrates\na need for a larger and specialized cadre of examiners capable of (1) conducting all\nlevels of IT examinations, and (2) coaching and training participants in the IT-OJT\nprogram.\n\nAlthough DSC has made some progress in aligning the examiner training program to the\nobjective of the IT-RMP, with additional enhancements to the IT training program, the\nFDIC would have greater assurance that examiners are sufficiently prepared to conduct\neffective IT examinations.\n\nRECOMMENDATIONS\n\nWe recommend that the Director, DSC:\n\n6. Revise DSC examiner training for conducting IT examinations to align with the\n   objective of the IT-RMP.\n\n7. Initiate efforts to increase the number of non-IT examiners who participate in IT-OJT\n   examination training to increase DSC\xe2\x80\x99s overall capability to conduct IT examinations.\n\n\n\n\n12\n  These results comprise all DSC IT examinations started and completed during the period January 1, 2006\nto June 20, 2006 for which a Technology Profile Script had been entered into ViSION, based on data\ncollected from ViSION on June 21, 2006.\n\n\n                                                  19\n\x0c             CORPORATION COMMENTS AND OIG EVALUATION\n\nOn January 4, 2007, the Director, DSC, provided a written response, dated\nDecember 12, 2006, to a draft of this report. DSC\xe2\x80\x99s response is presented in its entirety\nas Appendix V to this report. DSC generally agreed with our recommendations, noting\nthat it has plans to evaluate the first-year implementation of the August 2005 revision of\nthe IT-RMP. 
With regard to the IT-RMP tools and guidance, DSC will incorporate OIG recommendations into its evaluation and issue revised guidance as deemed necessary. With regard to DSC’s IT training programs, DSC will review its training processes and determine whether enhancements are needed. DSC plans to complete these actions by September 30, 2007.

DSC’s actions are responsive to our recommendations. A summary of management’s response to the recommendations is in Appendix V. The recommendations are resolved but will remain open until we have determined the agreed-to corrective actions have been completed and are effective.

APPENDIX I

OBJECTIVE, SCOPE, AND METHODOLOGY

Objective

The objective of this audit was to determine whether the FDIC had established and implemented adequate procedures for addressing IT security risks at FDIC-supervised financial institutions that offer electronic banking products and services. We conducted our audit in accordance with generally accepted government auditing standards during the period December 2005 through September 2006.

Scope and Methodology

The scope of the audit focused on assessing the guidance and procedures that supported the implementation of the top-down, risk-focused objective of the IT-RMP for IT examinations of FDIC-supervised institutions. We performed the following:

• Evaluated the IT-RMP procedures for assessing IT security risks and examining IT security programs, detailed in RDM 2005-031, Information Technology-Risk Management Program (IT-RMP), for consistency with applicable laws, regulations, and other guidelines related to IT security. Other guidelines included the FFIEC’s Information Security Booklet (December 2002 and July 2006 revisions), 1 of 12 booklets that, in total, comprise the FFIEC Information Technology (IT) Examination Handbook.
• Interviewed DSC personnel responsible for development and oversight of the IT-RMP and the subsequent training on the IT-RMP.
• Interviewed DSC personnel involved with DSC activities related to monitoring new and emerging technologies.
• Interviewed other regional DSC personnel involved with the IT-RMP implementation, including DSC IT Assistant Regional Directors and IT Examination Specialists.
• Reviewed the management information system reports used by the FDIC in its self-assessment of the IT examination program.

We selected a judgmental sample of 12 examinations from a total of 292 examinations conducted during the period January 2006 through March 2006, consisting of 4 examinations conducted in the New York Region, 4 in the San Francisco Region, and 4 in the Kansas City Region. To select our sample, we performed the following.

• Stratified the population of examinations conducted during our period of review by the following areas: (1) the existence of a transactional Web site within the financial institution, (2) DSC region, (3) TPS risk type, (4) URSIT composite rating, (5) total Profile Script score (a measure of complexity and thus risk), and (6) institution asset size as of December 31, 2005.
• Considered transactional Web capability and a high total Profile Script score to be indicative of key information security risk factors.
• Considered the URSIT composite rating and institution asset size to be reflective of the relative potential impact of those risk factors.
• Considered only banks with transactional Web sites and Profile Script risk types I-II or III for selection.

Because of the size, complexity, and visibility of financial institutions with a Profile Script risk type IV, we concluded there was a lower risk that they may not receive an appropriate level of supervisory review, and thus, did not include financial institutions with a Profile Script risk type IV in our sample.

We selected our sample from the New York, Kansas City, and San Francisco regions based on the following considerations.

• The New York Region had the largest dollar-value financial institutions in our sample population.
• The Kansas City Region had the largest number of financial institutions in our sample population.
• The San Francisco Region had the most widely dispersed financial institutions in our sample population.

We discussed our proposed sample with DSC management to explain our methodology and to ensure that our sample would produce meaningful results. DSC provided suggestions regarding which regional offices, IT composite ratings, and institution asset sizes we should consider in selecting our sample. We incorporated these suggestions as appropriate, and performed the following audit steps:

• reviewed ROEs and supporting working paper documentation for the 12 sampled examinations to evaluate consistency with the IT-RMP, and
• interviewed regional and field office DSC personnel responsible for implementing the IT-RMP for the sampled IT examinations, including IT examiners.

Internal Controls

We gained an understanding of relevant internal controls by reviewing: (1) FDIC policies and procedures, such as Regional Directors Memoranda, related to the IT-RMP; (2) the IT examiner training curriculum; (3) FDIC procedures for assessing the adequacy of IT examination work; and (4) available FDIC documentation regarding the implementation of IT examination and supervision procedures. In addition, we interviewed DSC individuals involved in IT examinations, supervision, and IT training activities.

Reliance on Computer-Based Data

We obtained certain data from DSC’s ViSION system to identify IT examinations conducted subsequent to the August 15, 2005 implementation of the IT-RMP and to provide historical data on the Profile Script scores and IT composite ratings for those examinations. We did not assess the reliability of the computer-based data because these data were not significant to our findings, conclusions, or recommendations.

Government Performance and Results Act

The Government Performance and Results Act of 1993 directs federal agencies to develop a strategic plan and annual performance plans to help improve federal program effectiveness and service delivery. We reviewed the FDIC’s Strategic Plan for 2005-2010, the FDIC 2005 Annual Performance Plan, and the FDIC 2006 Annual Performance Plan. We determined that the FDIC did not have a strategic goal or objective specifically related to IT examinations. However, the means and strategies the FDIC uses to achieve a strategic goal that FDIC-supervised institutions are safe and sound include IT examinations in general, as stated in the FDIC 2005 Annual Performance Plan:

    The FDIC also continues to focus on the risks posed by technology. Both onsite risk management and information technology examinations cover technology-related activities to determine how each FDIC-supervised depository institution manages risk in that area. The FDIC uses a monitoring system to proactively identify and assess indicators of technology risks that may impact FDIC-supervised institutions.
    The FDIC will also augment its general training curriculum for examiners to include more training on technology issues.

The FDIC 2006 Annual Performance Plan includes similar means and strategies information and adds that, in regard to training, the Information Technology Examination Course, which teaches examiners how to better integrate technology risk management, will be revised as a result of the IT-RMP.

We reviewed the FDIC’s Corporate Performance Objectives (CPO) for 2005 and 2006. We determined that none of the 2005 or 2006 CPOs directly relate to the IT-RMP. However, two CPO goals indirectly relate to IT examinations:

• Enhance the FDIC’s ability to manage its insurance risk to include ensuring that the supervision program effectively identifies and mitigates risk (as stated in the 2006 CPO).
• Continue to improve the FDIC’s risk management and compliance examination programs by implementing the Relationship Manager Program (2005 CPO) and enhancing the data security examination program for TSPs (2006 CPO).

We also reviewed DSC’s 2006 Division Objectives and identified an action to update the Directors’ College ROE workshop and develop an Advanced Director’s College. The planned action states that the ROE update will include IT and compliance ratings and corresponding comments.

Fraud and Illegal Acts

We did not develop specific audit procedures to detect fraud and illegal acts because they were not considered material to the audit objective. However, throughout the audit, we were sensitive to the potential for fraud, waste, abuse, and mismanagement.

Laws and Regulations

In conducting the audit, we considered the following laws, rules, and regulations.

• Gramm-Leach-Bliley Act. GLBA (15 United States Code (U.S.C.) §6801) provides for the protection of nonpublic personal information. Each financial institution has an obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers’ nonpublic personal information. Each financial institution must establish administrative, technical, and physical safeguards to ensure confidentiality of customer records and information; to protect against any anticipated threats or hazards to the security or integrity of such records; and to protect against unauthorized access to or use of such records or information that could result in substantial harm or inconvenience to any customer.
• Fair and Accurate Credit Transactions Act of 2003 (FACT Act). This Act amends the Fair Credit Reporting Act (15 U.S.C. §1681) by adding provisions covering identity theft, consumers’ access to credit information, enhanced consumer report accuracy, and financial literacy.
• FDI Act Section 10 - Provisions Related to Examination Authority. The FDI Act requires the FDIC to perform periodic "full scope" examinations of banks. There is no specific requirement in the Act for the performance of IT examinations; however, they are considered to be intended as part of the "full scope" provision.
• FDIC Rules and Regulations Part 364, Appendix B - Interagency Guidelines Establishing Information Security Standards (Including Supplement A). These guidelines establish standards for financial institution information security programs, including administrative, technical, and physical safeguards; measures to properly dispose of consumer information; and elements of a financial institution’s response program to address unauthorized access to, or use of, customer information, including customer notification procedures.[13]

[13] According to FIL-27-2005, Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice, when an incident of unauthorized access to sensitive customer information involves information systems maintained by a bank’s TSP, it is the institution’s responsibility to notify its customers and regulator. However, a bank may contract with its TSP to notify the institution’s customers or regulator on its behalf.

Prior Audit Coverage

The OIG has conducted several prior audits on the FDIC’s IT examination procedures and related efforts to protect sensitive customer information.

• Audit Report No. 06-015, FDIC’s Oversight of Technology Service Providers, issued July 20, 2006. The objective was to assess the FDIC’s examination coverage of TSPs and related efforts to protect sensitive customer information. The report made six recommendations to help the FDIC: (1) better identify and monitor TSPs with access to sensitive customer information and (2) improve the process the FDIC uses (in conjunction with the other FFIEC agencies) for assessing the risks posed by, and prioritizing for examination, those TSPs with access to sensitive customer information. DSC’s response and proposed actions were sufficient to resolve each recommendation.

• Audit Report No. 06-009, FDIC’s Guidance to Institutions and Examiners for Implementing the Gramm-Leach-Bliley Act Title V and the Fair and Accurate Credit Transactions Act, issued February 24, 2006. The objective was to determine whether the FDIC provided adequate guidance to FDIC-supervised institutions and examiners for implementing the data privacy and security provisions of the GLBA Title V and FACT Act. We recommended that the FDIC finalize the interim examination guidance that addresses FACT Act provisions and develop, in coordination with the joint-agency rulemaking committee, a more aggressive project management plan to expedite the issuance of final rules and regulations for all FACT Act provisions. DSC’s responses and proposed actions were sufficient to resolve each recommendation.

• Audit Report No. 04-022, FDIC’s Information Technology Examination Program, issued June 15, 2004. The objective of this audit was to determine whether the FDIC’s IT examinations provided reasonable assurance that IT risks were being addressed by the risk management programs in FDIC-supervised financial institutions. The audit also determined whether the FDIC had implemented GLBA-related recommendations in OIG Audit Report No. 03-044, The Federal Deposit Insurance Corporation’s Progress in Implementing the Gramm-Leach-Bliley Act, Title V – Privacy Provisions, dated September 26, 2003. We recommended that DSC institute a standardized quality review of all phases of the IT examination process and supporting documentation prior to issuance of IT examination results.
DSC’s responses and proposed actions were sufficient to resolve the recommendation.

APPENDIX II

IT-RMP EXAMINATION STEPS

Step #1: Preplanning
    Procedure: Review prior/post examination documents; incorporate management discussions, changes in technology, personnel and services, security incidents, and audit findings.
    Tool Used: Technology Profile Script

Step #2: Preplanning
    Procedure: Send IT Examination Officer’s Questionnaire to financial institution.
    Tool Used: IT Examination Officer’s Questionnaire

Step #3: Risk Scoping
    Procedure: Gain an understanding of the financial institution’s risk management practices.
    Tool Used: Technology Profile Script and IT Examination Officer’s Questionnaire

Step #4: Scope Development
    Procedure: Develop a preliminary financial institution risk profile based on historical and other information obtained during preplanning and risk-scoping activities.
    Tool Used: IT Summary Analysis

Step #5: Onsite Examination Procedures
    Procedure: Execute scope based on a preliminary assessment and understanding of the financial institution’s risk profile.
    Tool Used: IT Snapshot Work Program and IT Summary Analysis

Step #6: IT Composite Rating
    Procedure: Assign the rating at the conclusion of the examination based on FFIEC ratings definitions.
    Tool Used: IT Summary Analysis

Step #7: Report Preparation
    Procedure: Document IT examination findings and prepare ROE comments. Update ViSION.
    Tool Used: IT Summary Analysis

APPENDIX III

IT EXAMINATION RESOURCE STRATEGY MATRIX

Type I (Score 0-49)
    Institution Characteristics:
    -- Limited networking
    -- Limited E-Banking activities
    -- Minimal external threats
    -- Risks are centered in core processing
    -- No in-house programming
    -- Does not process core applications for others
    Examiner Skills Required:
    -- Basic networking concepts*
    -- Ability to evaluate pre-exam questionnaire responses
    -- High-level core application procedures*
    * Available in safety and soundness IT refresher training.
    Examiner Training, Required:
    -- Commissioned Examiner
    -- Annual IT refresher
    -- Computer-based training (various)
    Examiner Training, Recommended:
    -- Information Technology Examination Course (ITEC)
    Note: Phase-in requirement for all Commissioned Examiners to attend ITEC

Type II (no score range given in the matrix)
    Institution Characteristics:
    -- Limited networking
    -- Limited E-Banking activities
    -- Minimal external threats
    -- Risks are centered in core processing
    Examiner Skills Required:
    -- Basic network concepts
    -- Ability to evaluate pre-exam questionnaire responses
    -- Ability to apply and complete IT General Work Program
    -- Vendor-specific knowledge for core processing systems
    Examiner Training, Required:
    -- See Type I required training
    -- ITEC
    Examiner Training, Recommended:
    -- i-NET+, Network+, Security+*
    -- Transmission Control Protocol/Internet Protocol (TCP/IP)
    -- Regional seminars
    -- Begin OJT mentoring
    -- FFIEC conference
    * Intermediate IT courses.

Type III (Score 50-79)
    Institution Characteristics:
    -- Networks are an integral element of technology operations
    -- E-Banking activities
    -- Threats = Type II threats and introduction of external threats
    -- Risk = Type II and exposure to public networks and external breaches
    Examiner Skills Required:
    -- Intermediate network concepts
    -- Ability to evaluate pre-exam questionnaire responses
    -- Ability to apply and complete IT General Work Program
    -- Vendor and device-specific knowledge of all systems
    Examiner Training, Required:
    -- See Type II required training
    -- i-NET+, Network+, Security+
    -- TCP-IP
    -- Operating system platforms
    -- IT-OJT – intermediate
    Examiner Training, Recommended:
    -- Flexible training
    -- Firewalls, Intrusion Detection System (IDS), virtual private networks (VPNs), wireless, advanced platforms
    -- Certifications
    -- FFIEC conference
    -- FDIC seminar

Type IV (Score 80-130)
    Institution Characteristics:
    -- Communication systems are critical to operations
    -- Widely distributed Internet working
    -- Threats = Type III threats and multiple external sources of threats
    -- Risk = Type III and higher administrative and security risks
    Examiner Skills Required:
    -- Advanced platform-specific knowledge
    -- Advanced knowledge of networking & telecommunications concepts
    -- High level of understanding of security concepts
    Examiner Training, Required:
    -- See Type III required training
    -- IS/OJT – Advanced
    -- Firewalls, IDS, VPNs, wireless, advanced platforms
    Examiner Training, Recommended:
    -- Flexible training
    -- FDIC seminar
    -- Certifications
    -- Product specialization

APPENDIX IV

FFIEC’s URSIT COMPOSITE RATINGS DEFINITIONS

Composite 1

Financial institutions and service providers rated composite “1” exhibit strong performance in every respect and generally have components rated “1” or “2.” Weaknesses in IT are minor in nature and are easily corrected during the normal course of business.
Risk management processes provide a comprehensive program to identify and monitor risk relative to the size, complexity, and risk profile of the entity. Strategic plans are well defined and fully integrated throughout the organization. This allows management to quickly adapt to changing market, business, and technological needs of the entity. Management identifies weaknesses promptly and takes appropriate corrective action to resolve audit and regulatory concerns. The financial condition of the service provider is strong, and overall performance shows no cause for supervisory concern.

Composite 2

Financial institutions and service providers rated composite “2” exhibit safe and sound performance but may demonstrate modest weaknesses in operating performance, monitoring, management processes, or system development. Generally, senior management corrects weaknesses in the normal course of business. Risk management processes adequately identify and monitor risk relative to the size, complexity, and risk profile of the entity. Strategic plans are defined but may require clarification, better coordination, or improved communication throughout the organization. As a result, management anticipates but responds less quickly to changes in market, business, and technological needs of the entity. Management normally identifies weaknesses and takes appropriate corrective action. However, greater reliance is placed on audit and regulatory intervention to identify and resolve concerns. The financial condition of the service provider is acceptable, and while internal control weaknesses may exist, there are no significant supervisory concerns. As a result, supervisory action is informal and limited.

Composite 3

Financial institutions and service providers rated composite “3” exhibit some degree of supervisory concern due to a combination of weaknesses that may range from moderate to severe. If weaknesses persist, further deterioration in the condition and performance of the institution or service provider is likely. Risk management processes may not effectively identify risks and may not be appropriate for the size, complexity, or risk profile of the entity. Strategic plans are vaguely defined and may not provide adequate direction for IT initiatives. As a result, management often has difficulty responding to changes in business, market, and technological needs of the entity. Self-assessment practices are weak and are generally reactive to audit and regulatory exceptions. Repeat concerns may exist, indicating that management may lack the ability or willingness to resolve concerns. The financial condition of the service provider may be weak, and/or negative trends may be evident. While financial or operational failure is unlikely, increased supervision is necessary. Formal or informal supervisory action may be necessary to secure corrective action.

Composite 4

Financial institutions and service providers rated composite “4” operate in an unsafe and unsound environment that may impair the future viability of the entity. Operating weaknesses are indicative of serious managerial deficiencies. Risk management processes inadequately identify and monitor risk, and practices are not appropriate given the size, complexity, and risk profile of the entity. Strategic plans are poorly defined and not coordinated or communicated throughout the organization. As a result, management and the board are not committed to, or may be incapable of, ensuring that technological needs are met. Management does not perform self-assessments and demonstrates an inability or unwillingness to correct audit and regulatory concerns. The financial condition of the service provider is severely impaired and/or deteriorating. Failure of the financial institution or service provider may be likely unless IT problems are remedied. Close supervisory attention is necessary and, in most cases, formal enforcement action is warranted.

Composite 5

Financial institutions and service providers rated composite “5” exhibit critically deficient operating performance and are in need of immediate remedial action. Operational problems and serious weaknesses may exist throughout the organization. Risk management processes are severely deficient and provide management little or no perception of risk relative to the size, complexity, and risk profile of the entity. Strategic plans do not exist or are ineffective, and management and the board provide little or no direction for IT initiatives. As a result, management is unaware of, or inattentive to, technological needs of the entity. Management is unwilling or incapable of correcting audit and regulatory concerns.
The financial condition of the service provider is poor,\nand failure is highly probable due to poor operating performance or financial instability.\nOngoing supervisory attention is necessary.\n\n\n\n\n                                              30\n\x0c                       APPENDIX V\n\n\nCORPORATION COMMENTS\n\n\n\n\n         31\n\x0c     APPENDIX V\n\n\n\n\n32\n\x0c     APPENDIX V\n\n\n\n\n33\n\x0c     APPENDIX V\n\n\n\n\n34\n\x0c                                                                                                                                                 APPENDIX VI\n\n\n\n                                           MANAGEMENT RESPONSE TO RECOMMENDATIONS\nThis table presents the management response on the recommendations in our report and the status of the recommendations as of the\ndate of report issuance.\n                                                                                                                                      Open\n Rec.                                                                       Expected              Monetary       Resolved:a            or\nNumber          Corrective Action: Taken or Planned/Status               Completion Date          Benefits       Yes or No           Closedb\n               DSC will incorporate these\n     1-5       recommendations into its planned                         September 30, 2007             0             Yes               Open\n               evaluation of the first year of performance\n               under the IT-RMP program and issue\n               additional guidance where necessary.\n    6 and 7    DSC will review its training processes and\n               determine if enhancements are needed.                    
September 30, 2007             0             Yes               Open\n\na\n    Resolved \xe2\x80\x93 (1) Management concurs with the recommendation, and the planned corrective action is consistent with the recommendation.\n              (2) Management does not concur with the recommendation, but planned alternative action is acceptable to the OIG.\n              (3) Management agrees to the OIG monetary benefits, or a different amount, or no ($0) amount. Monetary benefits are considered resolved as long as\n                   management provides an amount.\nb\n    Once the OIG determines that the agreed-upon corrective actions have been completed and are effective, the recommendation can be closed.\n\n\n\n\n                                                                                  35\n\x0c'